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I..  INTRODUCTION 


A.  INTRODUCTION 

The  Internet  contains  over  15,000  autonomous  networks,  with  over  1.8  million  hosts 
world  wide  (Brand,  1995).  The  World  Wide  Web  (WWW)  is  a  multimedia  subset  of  the  Internet 
that  allows  its  users  to  observe  hypertext,  graphics,  video,  and  audio  data  (Little,  1994). 

Although  smaller  than  its  parent,  the  WWW  has  an  estimated  two  million  viewers  in  the 
households  and  business  of  the  world  in  1994  (Little,  1994). 

The  future  of  electronic  business  on  the  Internet  v^ll  most  likely  be  the  World  Wide  Web 
(WWW).  The  graphical  nature  of  the  WWW  makes  it  easy  to  use  for  both  computer  literate  and 
non  literate  users  alike.  This  ease  of  use  that  is  the  cornerstone  of  the  WWW,  has  led  to  its 
recent  explosion  of  use  (Brands,  1995).  Many  companies  have  already  branched  out  into  the 
WWW  for  not  only  reaching  an  ever  increasing  customer  base,  but  also  to  maintain  a  steady 
forum  for  communications  for  their  employees.  A  good  example  of  this  is  the  J.C.  Penney 
Company. 

In  the  past  year  J.C.  Penney  has  established  a  WWW  presence  for  customers  to  review 
the  latest  merchandise  via  the  WWW's  graphical  interface,  thus  reaching  a  new  market  of 
potential  customers.  In  addition,  J.C.  Penney  has  also  established  an  internal  web  for  access  by 
their  employees.  This  internal  web  is  used  for  providing  guidance  and  policy  to  all  employees, 
computerizing  some  training  material,  and  latest  sales  information.  (Lessa,  1995) 

This  explosion  and  its  expected  rapid  growth  has  brought  many  to  the  conclusion  that 
the  WWW  may  be  used  for  commerce,  not  only  for  large  corporations,  but  for  almost  any  small 
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business  with  a  computer,  a  modem,  and  a  phone  line.  The  key  reasons  why  the  WWW  is 
ideally  suited  for  commerce  is  its  relatively  low  entry  cost,  low  printing  and  distributions  cost, 
multimedia  applications,  data  automation,  rapid  customer  feedback,  and  immediate  information 
updates  (Little,  1994)  In  anticipation  of  the  commercial  jump  into  the  WWW,  may  companies 
have  begun  to  offer  different  types  of  financial  services  (Dukach,  1992;  Stien,  1994; 
Medvinsky,  1993;  Wall  Street  Journal,  1994). 

B.  OBJECTIVES 

The  vast  influx  of  financial  transaction  mechanisms  (FTM)  on  the  market  may  have  left 
many  users  confused  on  which  is  best  suited  for  their  WWW  applications.  First,  It  is  the  goal  of 
this  thesis  to  establish  a  criteria  forjudging  a  FTM.  Secondly  it  will  use  this  criteria  in  a 
comparison  of  current  FTMs.  Third  it  will  make  a  recommendation  for  the  use  of  a  FTM  for 
Decision  Net  (DNet). 

Decision  Net  is  a  WWW  application  that  has  the  primary  goal  of  providing  decision 
support  (DS)  technology  to  users  via  the  Internet.  The  primary  architecture  for  DNet  will  have 
DS  technology  providers  leaving  their  software  packages  on  their  own  systems.  This  will  keep 
both  maintenance  and  publication  costs  low.  DNet  will  then  provide  the  necessary  overhead  to 
establish  connection  from  the  decision  support  platforms  and  the  WWW.  The  customer  will 
access  the  decision  support  technology  via  the  DNet  Yellow  Pages.  Although  DNet  is  not 
currently  a  commercial  venture,  if  it  were  to  enter  the  commercial  market  place  it  would  need  a 
means  to  to  recover  cost  associated  with  the  creation  of  the  necessary  overhead,  and  provide 
financial  restitution  to  the  provider  of  a  technology  being  accessed.  (Bhargava,  1996) 
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Of  all  the  FTMs  currently  being  used  on  the  WWW,  two  have  been  chosen  based  upon 
prominence  in  their  realm,  these  are;  First  Virtual  (FV),  and  Netbill. 

C.  METHODOLOGY 

Becuase  financial  transactions  on  the  WWW  are  still  relatively  new,  most  of  the 
material  can  not  be  located  in  traditional  bibliographical  sources  that  are  associated  with  normal 
research.  The  majority  of  research  material  was  downloaded  from  various  WWW  sites  across 

the  globe.  Due  to  the  fluid  nature  of  WWW  resources,  when  possible  the  vital  web  pages  were 
collected  and  placed  into  the  Appendix. 

In  addition  to  the  WWW  sites,  interviews  were  conducted  when  needed  via  electronic 
mail  with  individuals  within  the  organizations. 


II.  PROBLEM  DEFINITION 


Four  major  difficulties  face  an  individual  in  the  selection  of  a  FTM  for  their  use.  The 
first  is  the  rather  large  number  of  FTMs  on  the  market,  while  the  second  is  the  lack  of  standards 
and  compatibility  amongst  the  systems.  The  third  is  the  type  of  company  that  is  requesting 
services,  and  the  fourth  is  the  threats  that  are  facing  the  users  of  an  FTM.  Each  of  these 
problems  will  effect  the  development  of  a  criteria  for  the  selection  of  a  FTM,  and  will  be  briefly 
discussed. 

A.  NUMBER  OF  FINANCIAL  TRANSACTION  MECHANISM 

At  a  quick  glance,  the  number  of  FTMs  available  to  the  public  are  significant.  They 
range  from  small  entrepreneurs  (First  Bank,  1994)  to  large  financial  institutions  (Siino,  1994). 
Each  FTM  follows  a  separate  format  for  the  exchange  of  funds  between  the  customer  and  the 
supplier. 

B.  LACK  OF  STANDARDS 

As  with  any  emergent  technology,  one  of  the  greatest  problems  that  the  FTM  world  faces 
is  compatibility.  Several  standards  bodies  are  looking  into  the  security  of  electronic  commerce 
for  the  WWW  (Spyglass,  1994).  However  with  no  single  dominant  member  of  the  market,  many 
companies  are  pushing  forward  with  their  ‘stove-pipe’  systems  with  one  hand  while  ‘working’ 
with  the  standards  body  with  the  other  hand  (Spyglass,  1994;  Deephouse,  1995). 

One  of  the  more  active  bodies  attempting  to  provide  commerce  standards  for  the  WWW 
is  the  Internet  Engineering  Task  Force  (TTEF).  However,  as  with  most  standards  bodies,  the 
work  is  slow  due  to  the  attempt  to  accommodate  all  points  of  views.  Although  not  an  official 
standards  body,  the  World  Wide  Web  Consortium  (W3C),  works  with  the  ITEF  to  help  bring 
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concepts  and  designs  for  open  commerce  protocols  to  the  WWW  in  a  swifter  fashion.  With  that 
said,  neither  body  has  made  in  significant  gains  in  developing  an  acceptable  system.  (W3C, 

1995;IETF,  1995) 

C.  TYPES  OF  COMPANIES 

The  companies  that  would  use  a  FTM  vary  in  type  and  fimction.  However,  I  have  broken 
them  into  three  basic  categories  based  upon  the  type  of  goods  or  services  offered.  The  three 


categories  are: 

►  Direct  sales:  By  far  the  largest  type  of  company  that  can  be  found  using  a  FTM. 
Direct  sales  will  include  the  purchase  of  a  wide  range  of  goods  that  could  include 
computer  software,  clothing,  and  art  work. 

Infonnation  Sellers:  There  are  two  basic  types  of  information  sellers.  They 

include  those  that  actively  seek  unknown  information  and  those  that  hold  a 
repository  of  known  data. 

►  '  Agents  and  Brokers:  The  first  type  of  information  sellers  are  active 

hunters  of  on-line  material.  Whether  a  highly  intelligent  program 
(Agents)  or  a  person  (Broker)  they  provide  the  service  of  hunting  for 
information,  then  charge  funds  based  on  the  detail  of  the  search  and 
length  of  time  spent  on  the  search.  Agents  and  brokers  are  relatively  new, 
and  may  be  a  possible  future  for  the  internet  and  WWW. 

►  Warehouses:  the  second  type  of  infonnation  seller  is  Warehouser.  These 
companies  establish  a  vast  store  or  databases  that  may  contain  intelecutal 
property  of  one  form  or  another.  This  information  can  either  be  sold  by 
the  page  or  complete  unit. 

►  Clubs  or  Organizations:  The  last  of  the  categories  provides  payment  for  locations 
within  the  WWW  notaccessible  by  the  general  public.  This  area  is  highlighted 
for  the  use  of  specific  intrest  groups. 

Although  each  group  has  special  needs,  each  has  to  have  a  base  system  that  is  suitable  to 
their  requirements.  Throughout  the  development  of  the  criteria,  specific  benefits  and  detriments 


to  a  company  type  will  be  highlighted. 


6 


D.  THREATS 


Although  threats  abound  in  a  relatively  new  technology  dependent  system  such  as  the 
Internet,  the  focus  for  this  discussion  will  be  on  what  I  feel  are  the  two  primary  threats.  These 
are  the  hackers  and  the  sniffers.  (Tardif,  1995) 

1.  Hackers 

Hackers  are  a  group  of  individuals  that  have  developed  a  great  amount  of  computer 
skills.  These  skills  allow  them  to  actively  ‘break’  into  the  computer  files  of  the  system  that  they 
are  targeting  (Fitzgerald,  1993).  The  first  hackers  were  thought  of  in  a  'romantic'  air,  breaking 
into  systems  for  the  challange.  However  as  the  skills  began  to  proliferate,  the  break-ins  become 
more  and  more  hostile.(Tardif,  1995) 

2.  Sniffers 

When  the  Internet  was  originally  designed  it  was  built  to  help  facilitate  the  free  flow  of 
information,  even  at  times  of  national  crisis.  To  create  an  architecture  that  would  aid  this  flow, 
many  networks  were  connected  in  a  vast  number  of  configurations.  If  one  route  was  lost, 
another  would  exist  to  take  its  place.  (Tardif,  1995) 

This  openness  is  key  to  the  sniffers  ability  to  commit  attacks.  When  a  data  packet 
journeys  to  its  destination,  it  will  travel  through  several  networks  (Fitzgerald,  1993).  It  is  at 
these  locations  that  a  sniffer  can  intercept  the  data,  read  or  alter  its  contents,  and  then  send  it  on 
its  way.  If  precautions  are  not  taken,  the  person  receiving  the  file  may  never  know  if  the  data 
has  been  compromised.  (Tardif,  1995) 
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E.  LOOKING  FORWARD 

The  problems  that  face  an  FTM  and  therefore  commerce  on  the  WWW  are  quite  broad  in 
scope.  It  is  hoped  that  the  criteria  detailed  in  the  following  chapter  will  provide  the  reader  the 
necessary  tools  to  determine  if  a  particular  FTM  meets  the  goals  that  a  user  requires. 
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III.  CRITERIA  FOR  FINANCIAL  TRANSACTION  MECHANISMS 

The  largest  single  problem  facing  full  integration  of  the  WWW  into  the  business 
mainstream  is  the  lack  of  a  secure  mechanism  to  conduct  financial  transactions  (Gelormine, 
1995).  The  factors  facing  a  suitable  financial  transaction  mechanism  (FTM)  are  very  wide  in 
scope,  and  vary  in  importance  in  the  opinion  of  the  different  developers.  I  will  attempt  to 
narrow  the  focus  by  concentrating  on  the  xmique  problems  involved  with  third  party  transaction 
systems.  With  that  in  mind  it  will  be  necessary  to  identify  the  players  involved  with  the  generic 
third  party  FTM.  Four  groups  will  be  identified  as  having  an  interest  in  the  FTM,  these  four  are; 

►  Seller:  The  Seller  is  the  individual  or  company  that  is  offering  information, 
goods,  or  services  for  sale. 

►  Buyer:  The  Buyer  is  the  individual  that  is  willing  to  financial  compensate  the 
Seller  for  delivery  of  information,  goods  or  services. 

►  FTM  Service  Provider:  The  FTM  Service  Provider  (or  simply  the  Provider) 
provides  the  conduit  for  financial  compensation.  They  establish  the  rules  by 
which  both  the  Seller  and  Buyer  must  agree  in  order  to  close  a  transaction. 

►  Threat:  The  Threat  comes  in  the  form  of  Hackers,  Crackers,  or  Sniffers  that,  for 
their  own  reasons,  have  attempted  to  ‘break’  a  Providers  services. 


Even  by  focusing  on  the  generic  third  party  FTM  system,  the  number  of  variables  are  far 
too  numerous  to  do  a  detailed  analysis.  To  that  end,  criteria  need  to  be  developed  to  help 
evaluate  individual  FTMs  and  determine  if  they  are  suitable  for  use  in  either  the  government  or 
private  sector.  I  have  chosen  four  areas  that  I  feel  the  industry  is  focusing  on.  These  areas  will 
be  the  deciding  factor  in  both  the  acceptance  of  the  FTM,  and  its  continued  success.  The  four 
focus  areas  are  security  concerns,  traceability  or  lack  of  it,  the  system’s  ease  of  use,  and 
transferability  between  customers.  The  four  areas  are  not  exclusive  sets,  and  will  often  overlap 
amongst  themselves.  When  this  occurs,  every  effort  will  be  made  to  establish  this  link. 
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A.  SECUMTY 


The  foremost  of  area  of  concern  is  that  of  security.  News  reports  constantly  emphasis  the 
facts  of  Hackers/Crackers  that  have  broken  into  the  phone  systems  and  banks  at  an  alarming  rate. 
(Carter,  1995)  With  financial  transactions  starting  to  go  across  the  WWW,  it  will  not  take  long 
for  these  cyber-criminals  to  start  developing  tools  to  steal  (hacker)  or  intercept  (sniffer)  FTM 
signals.  This  threat  would  be  detrimental  to  not  only  the  merchant  that  would  lose  revenue,  but 
also  the  customer  who  might  lose  credit  card  numbers,  or  the  FTM  provider  that  would  lose  the 
good  will  of  its  clients.  It  is  for  these  reasons  that  security  of  an  FTM  is  the  most  vital  of  focus 
areas. 


Because  security  can  cover  such  a  wide  range  of  topics,  I  have  broken  it  into  two  distinct 
functions.  Although  they  overlap  in  some  areas,  I  feel  that  they  perform  separate  goals  and 
should  be  addressed  separately.  The  functions  consist  of  integrity  and  reliability. 

1.  Integrity 

Integrity  of  an  FTM  is  a  pivotal  concern  to  all  members  involved  in  a  financial 
transaction.  Although  a  rather  broad  term,  integrity  of  a  system  could  be  exhibited  by  the 
following.  (Janson,1995) 

►  Debit  authorization  forms  (checks)  must  be  electronically  signed  by  the  purchaser 
prior  to  the  release  of  funds  to  the  seller. 

►  Each  signed  check  must  be  unique,  so  that  the  seller  (or  sniffer)  can  not  resubmit 
the  payment. 

►  Receipt  of  goods  or  services  should  be  available  for  the  purchaser. 

►  A  guarantee  of  payment  from  the  buyer  to  the  seller  prior  to  the  transfer  of  goods 
or  services. 

►  The  ability  for  the  buyer  to  view  the  goods  prior  to  the  transfer  of  funds.  (Easy 
for  viewing  goods  via  pictures,  difficult  if  attempting  to  view  information.) 
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Integrity  of  a  system  can  be  difficult  to  engineer.  For  example,  the  last  two  criteria 
appear  to  run  contrary  to  each  other.  The  provider  needs  to  determine  whether  they  are  serving 
the  seller  or  the  buyer.  One  that  is  serving  the  buyer  will  have  a  emphasis  towards  viewing  a 
product  prior  to  payment,  while  a  provider  favoring  a  seller  will  ensure  that  payment  is  received 
prior  to  the  release  of  the  product.  In  addition,  the  type  of  seller  will  determine  the  integrity. 

For  example,  an  Information  Seller  would  be  able  to  show  a  prospective  customer  the 
information  first  hand.  However,  it  would  be  difficult  to  have  Direct  Sales  let  a  Buyer  hold  the 
object  being  purchased. 

An  FTM  that  has  strong  integrity  security  would  exhibit  all  of  the  above  in  varying 
degrees.  Most  current  FTMs  on  the  market  offer  only  a  few  of  the  four  criteria,  making  integrity 
one  of  the  driving  concern  in  the  FTM  selection.  Figure  1  gives  the  evaluation  scale  to  be  used 
for  integrity. 


Criteria  Values  3 
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Figure  1  Criteria  for  Security;  Integrity 
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2.  Reliability 

The  second  security  issue  deals  with  reliability.  Although  it  may  have  the  appearance  of 
being  less  important  then  integrity,  reliability  still  plays  a  major  role.  Issues  that  need  to  be 
addressed  when  looking  at  the  reliability  of  a  FTM  system  should  include  the 
following.(Janson,1995) 

►  Due  to  the  global  presence  of  the  WWW,  transactions  must  be  able  to  be  handled 
24  hours  a  day,  seven  days  a  week. 

►  Payments  must  be  completed.  No  payment  should  be  partially  completed. 

►  The  FTM  system  should  have  back-up  capability  to  allow  for  system  down  time. 

An  FTM  offered  on  the  market  should  be  able  to  answer  the  concerns  of  a  either  the 
buyer  or  seller  as  the  reliability  of  the  hardware  that  the  FTM  is  running.  In  addition  the  FTM 
should  provide  reliability  statistics  for  both  hardware  and  software  downtime  to  prospective 
customers  and  current  users  on  request.  Figure  2  shows  the  criteria  scale  for  reliability. 
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Figure  2  Criteria  for  Security:  Reliability 
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B.  TRACEABILITY 


Although  security  is  vital  to  the  establishment  of  a  truly  successful  FTM,  it  can  not  be  the 
only  criteria.  In  the  civilian  world  the  second  highest  priority  is  most  likely  traceability.  The 
traceability  concern  has  its  roots  in  the  privacy  of  individuals  to  interact  without  interference 
from  external  scrutiny.  The  key  violation  of  traceability  comes  from  the  inevitable  “paper  trail” 
that  follows  any  transactions.  In  most  FTMs  this  paper  trail  is  located  in  a  centralized  database 
(Cox,  1994).  This  database,  if  obtained,  could  be  used  for  activities  ranging  from  massive  direct 
marketing  campaigns,  focus  for  criminal  activity,  or  illegal  search  of  information  by  law 
enforcement  authorities. 

In  addition,  not  only  should  the  paper  trail  be  of  concern,  but  also  the  content  of  the 
purchase  and  for  what  amount.  There  is  a  fine  line  between  providing  sound  privacy  for  the 
users  of  an  FTM  system,  and  accidentally  breaking  tax  laws.  Although  the  Internet  does  not 
respect  the  bmmdaries  of  states  or  nations,  its  users  will  be  expected  to  comply  with  all  the  laws 
in  their  respective  local  areas.  The  tax  codes  vary  from  state  to  state,  but  each  requires  payment 
of  a  sales  tax  on  some  goods.  In  addition,  transactions  in  excess  of  $10,000  are  subject  to 
scrutiny  by  the  IRS.  (IRS,  1996) 

To  help  identify  if  a  FTM  is  providing  reasonable  privacy,  but  not  breaking  any  existing 
laws,  the  following  list  of  criteria  could  be  used. 

►  Secure  servers,  using  the  highest  technology  of  fire  wall  protection. 

►  Proper  tax  filling  procedures,  or  instructions  on  purchases  of  excessive  size. 

►  Alternative  individual  identification  formats. 

►  Multi-level  security  for  customer  database  files. 
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It  should  be  obvious  that  the  transferability  issue  and  the  security  (particularly  integrity) 
are  closely  related  in  many  ways.  But  it  should  be  noted  that  the  Buyer  should  imderstand  what 
level  of  privacy  he  can  expect  with  a  system.  If  it  is  an  issue  for  the  user,  than  they  should  look 
closely  to  the  FTMs  approach.  Figure  3  shows  the  criteria  scale  for  transferability. 


Criteria 

Figure  3  Criteria  for  Traceability 
C.  EASE  OF  USE 

The  third  primary  criteria  for  the  selection  of  a  FTM  is  the  systems  ease  of  use.  Since  the 
home  computer  market  has  opened,  the  number  of  users  has  grown  significantly  each  year.  The 
primary  reason  for  this  continued  growth  is  the  ever  increasing  ease  of  use  of  the  systems.  In  the 
PC  realm,  the  first  systems  ran  using  DOS  operating  system.  It  was  difficult  to  master, 
configure,  and  operate.  This  led  to  only  a  handful  of  users.  When  Microsoft  introduced  its  1.0 
version  of  the  Windows  software,  an  interface  that  made  miming  the  computer  much  easier,  in 
1983  the  PC  industry  had  sold  approximately  500,000  units.  (Poisson,  1995) 


14 


By  the  time  Microsoft  released  its  3.0  version  of  Windows  in  May  of  1990,  the  number 
of  single  computer  users  had  jumped  to  9.8  million.  Of  this  number  over  8  million  were  based 
on  the  Intel  family  of  microprocessors.  More  startling  perhaps  is  that  another  1.3  million  of  this 
number  were  Apple’s  Macintosh  family  of  computers,  which  contains  another  popular  user 
interface.  (Poisson,  1995) 

In  1995  Microsoft  delivered  the  much  anticipated  Windows  ‘95  operating  system.  The 
new  system  made  it  not  only  easy  to  work  with  computer,  but  made  hardware  instillation  a  much 
simpler  task.  The  Windows  ‘95  release  broke  all  the  commercial  off  the  shelf  software  sales 
records,  once  again  proving  that  more  users  will  flock  to  a  easier  to  use.  (Poisson,  1995) 

How  does  this  relate  to  FTM?  Simply  that  more  users  will  have  access  to  the  WWW  and 
they  will  wish  to  conduct  financial  business  over  the  web.  This  growing  number  will  be  less 
computer  literate  then  their  predecessors.  These  users  will  not  want  to  install  new  hardware 
designed  for  encryption,  nor  will  they  want  to  learn  all  of  the  steps  in  running  a  complicated 
public  key  encryption  system.  They  will  want  to  use  a  system  that  allows  them  to  simply  click 
the  ‘go’  icon,  and  let  the  system  do  the  work  for  them.  This  feature  is  called  “click  and  go”.  It 
is  with  this  in  mind  that  the  designers  must  make  all  the  security  measures  invisible  to  the  user. 
(Brands,  1995) 

Below  is  a  list  of  items  that  should  be  looked  at  in  detail  when  investigating  FTM 
systems. 

►  Configuration  requirement  simple  to  follow. 

►  Availability  of  technical  support. 

►  “Click  and  Go”  approach. 

►  Number  of  steps  to  execute  payment. 
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The  needs  for  ease  of  use  and  security  may  seem  to  be  in  opposite  to  each  other,  and  in 
many  ways  they  are.  However,  the  FTM  needs  to  be  able  to  adjust  to  the  growing  demands  of 
the  market.  People  will  want  security,  they  just  will  not  want  to  work  for  it.  Figure  4  shows  the 
criteria  scale  for  ease  of  use. 
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Figure  4  Criteria  for  Ease  of  Use 

D.  TRANSFERABILITY 

The  last  of  the  key  areas  is  transferability.  In  a  open  currency  system,  such  as  the  US 
dollar,  money  may  be  exchanged  between  two  private  parties  with  little  effort.  In  a  open  FTM 
one  customer  would  be  able  to  transfer  money  to  another  customer,  in  addition  to  a  business. 
Although  this  area  will  not  be  of  high  interest  to  DOD,  the  civilian  market  may  find  it  a  highly 
desirable  item.  Although  technically  feasible,  it  will  be  difficult  for  most  FTM  system  to 
establish  such  a  system  that  will  be  both  financially  rewarding  for  themselves,  and  acceptable  to 
the  users. 
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Most  FTMs  make  their  money  from  ‘taxing’  the  total  amoimt  of  the  purchase.  For 
example,  if  a  Customer  purchased  a  chapter  from  a  book  for  two  dollars,  he  would  send  his 
voucher/check  to  the  FTM.  The  FTM  would  then  keep  a  portion  of  the  two  dollars,  ranging 
from,  say,  two  to  ten  cents,  and  forward  the  remainder  to  the  Sellers  account.  When  two 
Customers  decide  to  exchange  funds,  neither  Customer  would  be  willing  to  forgo  the  FTM’s 

percentage  cut.  How  the  FTM  deals  with  this  procedure,  or  if  it  is  allowed,  is  last  of  the  key 
areas. 

The  World  Wide  Web  has  quickly  become  an  instant  arena  for  advertising,  it  is  not  hard 
to  imagine  true  commerce  being  to  far  behind.  The  first  major  obstacle  is  the  acceptance  of  a 
Financial  Transaction  Mechanism  to  be  used  both  by  the  seller  of  goods  and  services  and  the 
buyer.  The  FTM  chosen  will  limit  the  buyer  to  a  set  of  sellers  do  to  the  differences  in 
approaches  by  the  FTMs. 
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IV.  SYSTEM  REVIEWS 


A.  FIRST  VIRTUAL 

1.  History 

First  Virtual  (FV)  founding  members  reads  like  a  who’s  who  of  the  business  and  Internet 
worlds.  Initially  incorporated  in  March  of  1994,  FV  is  a  privately  owned  company.  The 
founders  are  Lee  Stein,  a  prominent  figure  in  the  San  Diego  business  commimity,  Tawfiq 
Khoury,  a  land  developer  in  southern  California  and  Arizona,  Nathaniel  Borenstein,  chief  author 
of  the  Internet  standard  format  for  interoperable  multimedia  data  (MIME),  Marshall  Rose,  an 
area  director  for  Network  Management  in  the  Internet  Engineering  Task  Force,  and  Finar 
Stefferad,  founder  of  Network  Management  Associates,  and  Internet  pioneer  since  1975.  These 
individuals  along  with  their  strategic  partner.  Electronic  Data  Systems,  a  credit  card  and 
automated  clearinghouse  transaction  company,  have  worked  together  to  create  a  system  that 
does  not  create  ‘cyber  money’  but  uses  current  standards  to  establish  secure  credit  card 
transactions  over  the  Internet.  (FV  Background,  1995) 

2.  Procedures 

a.  Account  Acquisition 

To  establish  an  account  as  a  customer,  it  is  as  simple  as  point  and  click.  Once  the 
user  is  at  the  FV  home  page  (http;//www.fv.com),  they  click  on  the  new  account  button.  The 
user  is  instracted  to  fill  out  information  presented  on  the  form,  along  with  a  password  of  the 
users  choice.  No  credit  card  information  is  passed  over  the  Internet.  When  FV  receives  your 
request  for  an  account,  you  are  sent  an  E-mail  that  contains  follow  on  instructions  for  purchasing 
the  account,  including  an  800  number  that  must  be  called.  When  the  user  calls  the  800  number 
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they  are  greeted  by  an  electronic  voice  mail  system  that  helps  them  finish  the  transaction.  It  is 
only  during  this  telephone  conversation  that  any  credit  card  information  is  transferred.  Although 
the  phone  system  is  technically  no  less  secure  then  the  Internet,  it  does  provide  the  user  with  the 
sense  of  security.  With  in  a  few  hours  the  member  is  sent  a  new  account  pass  word  via  E-mail. 
The  new  password  consists  of  the  users  original,  plus  a  specific  prefix  that  is  provided  by  the 
company.  (FV  General,  1995) 

b.  Sanq)le  Transaction 

Transactions  on  FV  are  conducted  using  a  simple  E-mail-based  protocol.  To 
initiate  a  purchase  the  Customer  simply  “clicks”  the  purchase  button  located  on  the  page 
containing  the  information  that  they  wish  to  purchase.  This  button  initiates  a  E-mail  form  that 
allows  the  Customer  to  enter  his  or  her  password.  When  the  E-mail  is  sent,  the  Seller  may  allow 
the  Customer  to  have  access  to  the  information  requested. 

When  a  FV  receives  the  requests  for  fimd  transfer,  it  will  automatically  send  E- 
mail  to  the  customer.  The  E-mail  is  structured  to  permit  automated  handling  by  mail  software 
that  understands  the  protocols  used  by  FV,  but  also  to  be  completely  usable  with  most  ordinary 
mail  software.  When  the  Customer  receives  the  FV  mail,  they  simply  have  to  use  the  mail 
reader’s  "reply"  command,  and  send  a  reply  using  a  single  word  of  either  "yes",  "no",  or  "fraud". 
The  receipt  of  a  "yes"  answer  with  an  appropriate  transaction  code  in  the  Subject  line  and 
appropriate  source  headers  in  the  E-mail  constitutes  the  buyer's  authorization  to  First  Virtual  to 
effect  a  fund  transfer.  A  reply  of  “no”  or  “fraud”  would  not  allow  the  transfer  of  funds,  with  the 
“fraud”  initiating  necessary  procedures  to  determine  the  source.  For  this  mechanism  to  work, 
the  mail  reader's  reply  command  should  copy  the  contents  of  the  Subject  field  into  the  reply. 
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because  it  contains  a  unique  identifier  for  each  specific  authorization  request.  Customers  must 
also  have  instant  access  to  their  respective  E-mail  accounts  at  all  times.(FV  Cashflow,  1995) 

Real  funds  begin  to  flow  only  after  the  authorization  is  received  and  the 
transaction  is  passed  to  what  FV  calls  the  “below-the-line”  (BTL)  systems.  The  BTL  system 
contains  a  database  that  correlates  all  FV  account  identifier  with  a  Customer’s  credit  card 
information,  and  the  Sellers  checking  account  information.  (FV  Cashflow,  1995) 

When  a  fund  transfer  request  is  received  by  the  BTL  system,  it  is  added  to  the  list 
of  charges  awaiting  settlement  by  the  Customer,  but  not  yet  paid.  If  the  total  amoimt  of  charges 
on  the  Customer’s  settlement  list  exceeds  $10,  the  system  wall  post  a  charge  for  the  appropriate 
amount  to  the  Customer’s  credit  card,  using  the  credit  card  network  to  pre-authorize  the 
transaction.  Otherwise,  the  charge  accumulates  until  the  $10  threshold  is  exceeded  or  the  oldest 
transaction  has  been  pending  for  more  than  10  days.  When  a  charge  is  posted  to  Customer’s 
credit  card  the  on-line  portion  of  FV  is  notified,  and  an  E-mail  notification  is  sent  to  the  paying 
party.  (FV  Cashflow,  1995) 

After  the  funds  have  been  received  from  the  Customer’s  credit  card  company,  FV 
deducts  the  transaction  fees.  The  fees  are  discussed  in  the  section  below.  The  remaining 
amount  is  transferred  to  the  seller’s  checking  accormt  by  the  BTL  system.  When  this  is 
accomplished,  the  On-line  system  will  notify  the  Seller  that  a  transaction  has  been  posted  to  their 
account.  (FV  Selling,  1995) 
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3.  Cost 


a.  Customer 

The  customer  pays  an  initial  fee  of  two  US  dollars  for  registering  the  account.  If 
the  customer  wishes  to  change  account  data,  like  changing  to  a  new  credit  card,  the  customer 
will  be  charged  an  additional  two  US  dollars.  Any  fees  after  this  are  directed  to  the  supplier. 

(FV  Buying,  1995) 

b.  Supplier 

The  charges  that  a  supplier  pays  is  dependent  on  where  the  information  being 
sold  is  located.  All  suppliers  pay  an  initial  $10  registration  fee.  If  the  supplier  is  not  using  FV’s 
Infohaus,  they  pay  29  cents  for  each  purchase,  plus  two  percent  of  the  total  sale  to  FV.  When 
funds  are  transferred  to  Supplier,  an  additional  charge  of  one  dollar  is  collected  for  processing 
fees.  (FV  Selling,  1995) 

Those  that  use  the  Infohaus  are  also  charged  the  same  29  cents  per  sale,  but  they 
must  also  pay  an  additional  eight  percent  of  the  total  sale  value  to  FV.  In  addition  FV  charges 
the  users  of  the  Infohaus  $1.50  per  megabyte  of  storage  per  month.  The  totals  charged  by  FV 
approach  2%  for  those  Sellers  that  maintain  their  own  location,  and  10%  for  those  using  the 
Infohaus.  (FV  Infohaus,  1995) 

3.  FTM 

FV  would  not  provide  me  an  estimate  of  how  much  it  cost  to  execute  a  typical 
transaction,  however  it  is  reasonable  to  assume  that  FV  pays  the  standard  transaction  cost  that  all 
financial  institutions  pay  when  dealing  with  an  electronic  transaction  clearinghouse. 
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A.  NETBILL 

1.  History 

Netbill  began  as  a  research  project  in  early  1991  at  Carnegie  Mellon  University’s  (CMU) 
Information  Networking  Institute  (INI).  The  principle  researchers  have  been  Marvin  Sirbu,  a 
professor  of  engineering  and  public  policy  and  industrial  administration,  and  Doug  Tygar,  an 
associate  professor  of  computer  science,  both  at  CMU.  The  initial  goal  of  Netbill  was  to  provide 
a  means  of  making  transactions  for  small  amounts  of  information,  and  keeping  the  processing 
fees  associated  with  this  transaction  in  the  range  of  one  to  ten  cents.  (VISA/CMU,  1995) 

In  February  1995,  CMU  and  Visa  International  announced  that  they  have  formed  a 
partnership  to  develop  and  conduct  trials  of  the  Netbill  system  (VISA/CMU,  1995).  These  trials 
are  expected  to  occur  by  mid  1996,  with  a  full  production  version  ready  for  use  on  the  WWW  by 
fourth  quarter  1996.  (Deephouse,  1996)  Visa  has  viewed  this  project  as  one  portion  of  its  plan 
of  supporting  the  needs  of  its  members  in  the  electronic  commerce  market.(VISA/CMU,  1995) 
Netbill  is  in  the  process  of  negotiating  with  companies  such  as  Netscape  and  Intuit  (the  makers 
of  Quicken)  to  bundle  Netbill  with  their  software  products.  (Deephouse,  1996) 

2.  Procedures 

a.  Account  Acquisition 

Although  Netbill  has  not  started  to  accept  applicants  for  customers  or  sellers,  it  is 
believed  that  all  of  the  registration  will  occur  on  line,  via  the  use  of  WWW  forms.  These  forms 
would  be  linked  to  the  Netbill  software,  and  provide  the  necessary  security  for  private 
information. 
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b.  Sample  Transaction 

The  Netbill  transaction  starts  when  the  Customer  requests  a  price  quote  from  the 
Seller.  The  Customer  requests  a  price  quote  by  simply  clicking  on  a  displayed  article  reference. 
The  Customer's  client  application  then  indicates  to  the  checkbook  library  (NetbilTs  Customer 
accounts  database  server)  that  it  would  like  a  price  quote  from  a  particular  Seller  for  a  specified 
product.  The  checkbook  library  sends  an  authenticated  request  for  a  quote  to  the  till  library 
(NetbilTs  Sellers  accounts  database  server)  which  forwards  it  to  the  merchant's  application. 
(Netbill,  1995) 

The  Seller  must  then  determine  the  price  for  the  authenticated  user.  He  returns 
the  digitally  signed  price  quote  through  the  till  library,  to  the  checkbook  library,  and  on  to  the 
Customer's  application.  The  Customer  must  then  make  a  purchase  decision.  Assuming  the 
Customer  accepts  the  price  quote.  The  checkbook  library  then  sends  a  digitally  signed  purchase 
request  to  the  Seller’s  till  library.  The  till  library  then  requests  the  information  goods  from  the 
merchant's  application  and  sends  them  to  the  customer's  checkbook  library,  encrypted  in  a 
one-time  key,  and  computes  a  cryptographic  checksum  on  the  encrypted  message.  (Netbill, 

1995) 

As  the  checkbook  library  receives  the  bits,  it  writes  them  to  stable  storage.  When 
the  transfer  is  complete,  the  checkbook  library  computes  its  own  cryptographic  checksum  on  the 
encrypted  goods  and  returns  to  the  till  library  a  digitally  signed  message  specifying  the  product 
identifier,  the  accepted  price,  the  cryptographic  checksum,  and  a  timeout  stamp.  This  collection 
of  data  is  called  the  electronic  payment  order  (EPO)  by  Netbill.  (Netbill,  1995) 
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Upon  receipt  of  the  EPO,  the  till  library  checks  its  checksum  against  the  one 
computed  by  the  checkbook  library.  Tf  they  do  not  match,  then  the  goods  will  either  be 
retransmitted,  or  the  transaction  will  be  aborted.  Netbill  hopes  to  provide  high  assurance  that  the 
encrypted  goods  were  received  without  error.  Tf  checksums  match,  the  merchant's  application 
creates  a  digitally  signed  invoice  consisting  of  price  quote,  checksum,  and  the  decryption  key  for 
the  goods.  The  application  sends  both  the  EPO  and  the  invoice  to  the  Netbill  server.  (Netbill, 
1995) 

Tf  the  Customer  has  the  necessary  funds  or  credit,  the  Netbill  server  >vill  debit  the 
Customers  account  and  credits  the  Seller's  account,  log  the  transaction,  and  save  a  copy  of  the 
decryption  key.  The  Netbill  server  then  returns  to  the  Seller  a  digitally  signed  message 
containing  an  approval.  (Netbill,  1995) 

3.  Cost 

a.  Customer 

The  cost  to  the  customer  will  most  likely  be  negligible.  This  is  dependent  upon 
the  strategy  used  by  Netbill.  Customer  based  software  may  be  available  free  of  charge  via  the 
WWW  for  personal  use.  Professional  or  commercial  versions  may  be  introduced  at  a  cost  as  the 
project  develops.  Netbill  will  also  try  to  attempt  to  market  themselves  by  ‘bundling’  the  Netbill 
software  to  other  popular  software  titles,  such  as  Netscape  and  Quicken.  (Deephouse,  1 996) 
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b.  Supplier 

The  supplier  will  be  charged  a  very  low  flat  fee  of  approximately  $.02  per 
transaction.  In  addition  the  seller  will  be  responsible  to  pay  a  fee  of  2%-5%  of  the  total  sale  for 
the  processing  of  a  transaction.  Netbill  currently  has  no  plans  to  develop  an  electronic  market 
place,  this  means  that  each  user  must  have  access  to  their  own  resources  in  order  to  use  the 
system.  (Deephouse,  1996) 

c.  FTM 

Netbill  is  expecting  to  pay  the  same  electronic  clearinghouse  fees  as  all  financial 
institutions.  (Deephouse,  1995) 

C.  REMARKS 

The  methodologies  of  the  two  systems  reviewed  in  this  chapter  are  very  different  in  their 
approach.  In  the  next  chapter  we  will  look  at  each  FTM  using  the  criteria  developed  in  Chapter 
in,  and  rate  them.  During  this  rating,  we  will  focus  on  the  FTM  usage  as  applicable  to  a  seller  of 
information,  particularly  to  the  needs  of  Decision  Net. 
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V.  SYSTEM  ANALYSIS 


In  this  chapter,  I  will  use  the  criteria  developed  in  Chapter  III  on  the  FTM  systems 
discussed  in  Chapter  IV.  Our  primary  focus  will  be  the  FTM’s  use  in  the  selling  of  information, 
as  it  would  apply  to  Decision  Net.  Scoring  for  each  criteria  will  be  based  upon  the 
documentation  provided  by  the  providers  of  the  FTM  services,  actual  use  of  the  system  when 
available,  and  E-mail  interviews  with  the  providers. 

A.  FIRST  VIRTUAL 
1.  Security 

First  Virtual’s  policy  towards  security  measures  has  always  been  to  keep  confidential 
information  about  customers  off  the  Internet.  To  this  end  they  have  developed  a  protocol  that 
uses  e-mail,  passwords,  and  usage  notification  on  the  open  network,  and  keeps  all  critical 
financial  records  offline.  (FV  General,  1995) 
a.  Integrity 

Overall  FV  does  a  good  job  of  providing  integrity  to  their  customer  base,  with  an 
average  score  of  3.4.  The  Figure  5  below  shows  FV’s  ratings  in  each  criteria. 

Debit  authorization  and  the  need  for  unique  checks  is  conducted,  not  through 
electronic  signature,  but  through  response  to  e-mail  messages  received  by  the  Customer  from 
FV.  After  a  purchase  is  made,  FV  sends  an  e-mail  to  the  Customer,  asking  if  they  did,  in  fact, 
make  said  purchase.  If  the  Customer  does  not  respond  to  the  purchase  notification  FV  does  not 
forward  any  funds  to  the  account  of  the  seller,  and  closes  the  Customers  account  to  determine 
who  used  the  FV  account.  (FV  Buying,  1995) 
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Figure  5.  First  Virtual  Security:  Integrity  Scores 


FV  received  poor  marks  for  Receipt  of  goods  because  it  offers  no  formalized 
receipt  system.  They  consider  the  copy  of  your  notification  notice  to  be  your  receipt.  However, 
no  summary  receipt  is  sent  to  the  customer. 

Part  of  FV  is  based  upon  trust  of  the  customer.  FV  encourages  Sellers  to  transmit 
purchased  information,  prior  to  the  transfer  of  funds.  FV  feels  that  this  model  will  help 
stimulate  the  use  of  the  protocol,  and  minimize  the  loss  to  Sellers.  The  protocol  gives  the 
Customer  the  ability  to  pay  or  not  to  pay  (based  upon  the  notification  message  discussed  above), 
this  gives  them  ample  time  to  review  the  information  before  funds  are  transferred.  FV  feels  that 
they  can  police  their  users,  and  identify  those  that  are  abusing  the  protocol.  (FV  Secxuity, 

1995 ;FV  Selling,  1995) 

b.  Reliability 

FV  scored  an  average  of  4.3  for  reliability.  Figure  6  below  shows  how  FV  broke 
out  in  the  criteria.  Hardware  and  technical  knowledge  used  by  FV  provide  more  than  the 
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necessary  skills  and  equipment  to  run  both  a  continual  (24/7)  operation,  and  provide  significant 
back-up  capabilities  for  both  on-line  and  off-line  systems.  The  ability  for  FV  to  complete 
payments  could  be  a  potential  problem.  The  interaction  between  the  on-line  and  off-line 
systems  is  an  unknown  (for  security  reasons).  Due  to  this  and  FV  policy  of  purchase 
notification,  FV’s  ability  to  complete  payments  in  times  of  hardware  problems  is  unknowiL 


Figure  6.  First  Virtual  Scores  for  Security;  Reliability 


2.  Traceability 

First  Virtual  scored  an  average  of  4.0  for  its  traceability  issues.  The  detail  listing  of 
scores  is  illustrated  in  Figure  7  below. 

FV  stated  that  they  have  are  running  one  of  the  best  fire-wall  protection  systems 
available,  but  would  not  elaborate  in  any  greater  detail.  The  fire-wall  is  used  to  screen  incoming 
request,  an  additional  firewall  is  used  in  the  interface  between  the  on-line  and  off-line  systems. 
FV  claims  to  honor  the  tax  codes,  but  was  quick  to  point  out  that  it  is  the  users  (Customer  or 
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Supplier)  responsibility  to  ensure  that  proper  tax  codes  are  followed  for  any  transactions  that 
take  place.  (FV  Security,  1995) 

The  Customer  may  use  an  alias  for  the  purchase  of  on-line  material,  as  long  as  the  alias 
matches  the  name  on  the  record  at  FV.  Since  FV  holds  the  credit  card  numbers  or  bank  accounts 
of  each  of  its  users,  the  use  of  an  alias  may  only  be  effective  with  point  of  sale.  This  to  may  be  a 
jeopardy  based  upon  the  seller’s  servers  ability  to  record  hits.  (FV  Buyer,  1995) 

Multi-level  security  is  difficult  to  manage,  and  FV  may  only  provide  a  limited  amount. 
(FV  Security,  1995)  Any  data  that  is  associated  with  an  account,  name,  alias,  purchases  made, 
and  account  numbers  would  be  available  to  any  entry.  It  is  believed  that  even  a  lawful  entry, 
under  a  law  enforcement  warrant,  would  provide  all  data,  even  data  that  is  not  under  warrant. 
(FV  Security,  1995) 


Figure  7.  First  Virtual  Scores  for  Traceability 
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3,  Ease  of  Use 


FV’s  average  score  for  Ease  of  Use  is  4.0.  The  detailed  scores  for  FV  can  be  seen  in 
Figure  8  below.  FV  s  use  of  standard  mail  tools,  and  lack  of  user  software,  provide  a  quick  and 
easy  system  for  establishing  service.  FV  tech  support  is  readily  available  via  the  Internet  (E- 
mail)  or  by  telephone.  FV  also  will  provide  the  necessary  form  tools  to  help  establish  the  FV 
transactions  on  Sellers  Home  Pages. 

The  only  difficulty  that  I  had  with  FV  was  the  number  of  messages  necessary  to  complete 
a  transaction.  A  normal  transaction  v^ll  have  three  messages  that  are  generated  and  sent  to  the 
Customer.  With  out  proper  mail  organization,  this  could  be  cumbersome. 


Figure  8.  First  Virtual  Scores  for  Ease  of  Use 
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4.  Transferability 

First  Virtual  provides  no  capability  for  the  transfer  of  funds  between  two  customers. 

They  only  solution  to  this  would  be  for  one  of  the  customers  to  be  a  Seller.  However  the  transfer 
would  also  be  subject  to  all  of  the  charges  that  a  normal  transaction  would  acquire.  This  would 
be  unacceptable  undermost  circumstances,  therefore,  FV’s  transferability  score  is  0. 

B.  NETBILL 

1.  Security 

Netbill’s  basic  strategy  is  the  use  of  encryption  at  the  three  points  of  a  transaction,  that 
being  the  Customer,  Seller,  and  Netbill.  This  may  be  difficult  to  engineer,  but  it  appears  that 
Netbill  will  be  successful  in  completing  the  task. 

«.  Integrity 

NetbiU’s  average  score  for  integrity  is  3.8.  Netbill’s  protocol  is  predicated  on 
establishing  electronic  signatures  with  the  combination  of  public  key  encryption  to  establish  the 
necessary  security  needed  for  an  FTM.  The  scores  for  debit  authorization  and  check  uniqueness 
is  based  on  the  Netbill  protocol. 

The  ability  for  the  Customer  to  view  goods  prior  to  purchase  is  a  little  unclear, 
and  could  be  determined  by  the  Seller,  and  be  out  of  the  control  of  Netbill.  The  guarantee  of 
payment  is  rated  at  a  four  based  on  the  need  for  Netbill  to  interconnect  with  the  credit  card 
network  to  ensure  that  the  Customer  has  proper  funds  or  credit  available  for  the  transaction. 
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As  with  FV,  Netbill  fails  to  establish  a  system  for  the  delivery  of  a  receipt  of 
goods.  This  could  be  a  difficult  situation  for  the  Customer  who  may  need  the  receipt  for  tax 
purposes. 


b.  Reliability 

Netbill  scored  very  well  in  the  reliability  criteria,  with  an  average  score  of  5.0, 
details  can  be  seen  in  Figure  10.  Netbill  currently  is  running  on  proper  equipment  to  continue 
both  24/7  processing  and  maintain  the  necessary  back  up  capabilities  that  is  critical  to  an  FTM. 
In  addition,  one  of  the  key  points  in  the  Netbill  protocol  is  the  atomic  nature  of  payments 
(Netbill,  1995).  This  m_eans  that  if  a  transaction  can  not  be  completed,  it  will  not  be  undertaken. 
This  will  eliminate  lost  transactions,  and  provide  stability  in  the  process. 
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Figure  10.  Netbill  Scores  for  Security;  Reliability 

2.  Traceability 

Netbill’s  average  score  for  traceability  is  4.3,  and  Figure  1 1  below  shows  the  scores 
achieved  in  criteria.  It  appears  that  the  Netbill  servers  are  secure  and  should  not  be  a  problem  in 
the  future.  Also,  with  the  assistance  of  Visa  International,  Netbill  should  not  have  any  problems 
proper  tax  reporting.  Netbill’ s  Multi-level  security  is  achieved  by  the  use  and  maintenance  of 
the  encryption  session  key  used  for  a  transaction.  If  warranted  law  enforcement  needs  access  to 
the  data  base,  they  would  only  be  able  to  see  data  pertaining  to  the  session  that  they  have  the 
right  to  view.  The  others  would  be  encrypted  under  their  particular  session  key. 

As  with  FV,  Netbill’s  ability  to  allow  the  Customer  to  use  an  Alias  is  limited  due  to  the 
use  of  the  Customer  s  credit  card  account  for  closing  a  transaction.  However,  some  form  of 
pseudonym  may  be  maintained  between  the  Customer  and  the  Seller. 
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Figure  11.  Netbill  Scores  for  Traceability 


3.  Ease  of  Use 

The  average  score  for  Netbill  s  ease  of  use  criteria  is  3.8,  with  Figure  12  providing  the 
detailed  scores.  Because  Netbill  has  not  been  released  and  has  not  even  started  trial  runs,  I  was 
unable  to  play  with  the  system  and  get  the  feel  for  its  ease  of  use.  For  that  reason,  most  of  this 
section  is  based  upon  ‘impressions’  received  about  the  systems  appearance,  and  not  from  hands- 
on  use. 

The  first  appearance  of  Netbill  will  be  software  that  will  need  to  be  installed  by  the  user. 
Not  only  will  it  need  to  be  installed,  but  it  will  also  need  to  be  configured  for  the  users  browser, 
and  Internet  mail  service.  This  is  the  reason  for  the  low  score  in  easy  configuration.  If  Netbill 
provides  a  wizard  tool  that  does  most  or  all  of  the  work  for  the  user,  then  this  score  could 
change.  However,  once  Netbill  is  properly  installed,  the  purchase  of  information  will  become 
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simple  point  and  click  operation  for  simple  purchases,  with  little  to  no  follow  on  work  by  the 
customer. 

Once  Netbill  becomes  on-line,  they  have  developed  plans  for  available  technical  support 
via  both  the  Internet,  and  standard  telephone  support. 


— I —  Netbill 


Figure  12.  Netbill  Scores  for  Ease  of  Use 

4.  Transferability 

As  with  First  Virtual,  Netbill  provides  no  capability  for  the  transfer  of  funds  between 
two  customers.  For  this  reason,  Netbill’s  transferability  score  is  0. 


C.  COMPARISON 

In  this  section  I  will  compare  First  Virtual  and  Netbill.  By  comparing  the  two  FTMs  I 
hope  to  identify  and  emphasize  the  strengths  and  weakness  of  each. 
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1.  Security 


a.  Integrity 

The  approaches  that  Netbill  and  FV  took  towards  providing  the  necessary 
integrity  of  a  transaction  messages  are  quite  different.  I  feel  that  Netbill’ s  approach  though 
provides  a  far  superior  solution  to  that  proposed  by  FV.  The  primary  reason  for  this  is  Netbill’s 
use  electronic  signatures  in  their  protocol.  The  ability  to  mimic  or  duplicate  a  customers  or 
sellers  electronic  signature  is  far  greater  than  the  necessary  skills  need  to  defeat  a  FV  message. 
Figure  13  provides  comparison  scores  for  the  two  companies. 


Figure  13.  Comparison  Scores  for  Security:  Integrity 
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b.  Reliability 

Netbill’s  protocol  once  again  provides  a  superior  procedure  than  FV.  Netbill’s 
insistence  that  a  transaction  be  atomic,  is  one  of  the  keys  of  the  system.  FV  failed  to  mention 
any  protection  for  lost’  transactions,  making  it  a  target  area  for  possible  hacker  activity.  Figure 
14  below  shows  the  comparison  of  scores. 


2.  Traceability 

The  two  systems  scored  very  closely  in  the  traceability  criteria.  The  only  significant 
score  came  in  the  multi-level  security  criteria.  I  scored  Netbill  higher  in  the  category  for  their 
use  and  maintenance  of  session  key  ciyptography.  Each  transaction  is  stored  encrypted  with  the 
key  that  was  used  in  the  transaction.  This  allows  for  the  privacy  of  all  the  other  data  that  may  be 
stored  in  the  same  database.  Figure  15  shows  the  scores. 
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3.  Ease  of  Use 

The  Ease  of  Use  criteria  was  the  only  one  in  which  FV  scored  superior  to  Netbill  There 
are  two  distinct  reasons  for  this.  Fim.  FV  was  designed  to  be  simple,  and  it  is.  especially  for  the 
customer.  However  this  simplicity  has  created  some  weakness  in  the  system  compared  to 
Netbiil.  The  second  reason  is  my  inability  to  actually  use  Netbill.  Tn  my  opinion.  Netbill's  most 
serious  problem  will  not  be  its  security,  huts  its  ease  of  use.  What  may  be  a  significant  benefit 
for  Netbill  is  if  they  are  successful  in  getting  their  product  shrink-wrapped  with  either  Netscape 
or  Quicken.  The  comparison  scores  are  shown  in  Figure  1 6  below. 

4.  Transferability 

Neither  Netbill  nor  FV  had  the  capability  to  transfer  funds  between  to  customers  This  is 

primarily  due  to  the  need  of  the  FTMs  to  recoup  the  cost  of  the  transaction,  and  the  framework 
that  each  was  designed  upon. 
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Figure  16.  Comparison  Scores  for  Ease  of  Use 


D.  REVIEW 

Netbill  appears  to  be  a  superior  Financial  Transaction  System  then  First  Virtual.  The 
primary  reason  for  this  is  NetbilTs  superior  performance  in  the  areas  of  ‘Integrity’,  ‘Reliability’, 
and  ‘Traceability’.  Netbill’s  single  major  weakness  at  this  time  is  its  ‘Ease  of  Use’.  Until 
Netbill  is  released  on  the  market,  a  true  evaluation  of  its  usability  will  remain  unknown. 
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VI.  CONCLUSION 


A.  recommendations 

After  reviewing  ,he  FTMs  using  the  developed  criteria,  and  my  understanding  of  how 
Decision  Net  is  to  operate,  the  best  recommendation  that  I  can  give  is  to  wait.  Although  FV  has 
gained  a  popular  following  on  the  WWW.  I  feel  that  Netbill  will  be  a  much  better  system.  In 
addition  changes  in  the  FTM  market  that  should  take  place  within  the  next  year  or  two  will  have 
a  dramatic  effect  on  the  best  option  for  establishing  a  charge  back  system  for  Decision  Net’s  use. 


B.  SUMMATION 

If  all  current  predictions  remain  true,  the  World  Wide  Web  will  continue  to  grow  in  size 

and  popularity  for  several  years.  Ms  continued  growth  will  inevitably  lead  to  a  large  increase 

in  the  WWW’s  use  for  commercial  punioses.  The  growth  of  client  push/server  pull  capability 

will  foster  the  ability  of  advertiser  to  bring  commercialization  to  individuals,  whether  ttey  wish 
it  to  or  not. 

This  continued  growth  will  see  the  use  of  some  form  of  financial  transaction.  I  hope  that 
I  have  been  able  to  create  a  starting  point  for  people  to  investigate  the  FTM’s  as  they  become 
ailable  on  the  market.  However,  due  to  the  rapidly  changing  face  of  the  WWW,  the 
information  detailed  in  this  thesis  is  already  dated. 

As  an  additional  note,  companies  may  start  to  use  more  than  one  FTM  for  the  selling  of 
goods  or  services.  The  hope  of  the  companies  using  this  tactic  would  be  to  gain  a  larger 

market  share  by  giving  more  payment  options.  But  before  going  down  this  path  the  seller  must 
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market  share  by  giving  more  payment  options.  But  before  going  down  this  path  the  seller  must 
determine  if  the  additional  overhead  cost  of  supporting  separate  payment  mechanisms  is  worth 
the  additional  revenue  that  it  might  generate. 


C.  FURTHER  RESEARCH  OPPORTUNITIES 

At  first  glance,  their  are  several  branches  that  lead  itself  to  fiirther  research.  I  have  listed 
a  few  ideas  below. 

•  Electronic  Servmart:  Establishaprotocolthat  would  allow  the  use  of  the  WWW 
in  the  creation  of  an  electronic  servmart.  This  entity  could  increase  efficiency  at 
a  servmart  by  allowing  the  customer  to  browse  the  store  and  make  purchases 
without  every  leaving  Iheir  command.  Once  an  order  has  been  placed,  it  could  be 
processed  and  waiting  for  pickup  by  a  commands  duty  driver. 

•  Protocol  Analysis:  Conduct  a  detailed  analysis  of  the  Visa/Master  Card  proposal 
and  or  protocol.  Establish  its  ability  to  be  adapted  for  use  by  the  Department  of 
Defense  or  the  Department  of  the  Navy. 

•  Research  Funds:  Investigate  the  current  method  of  transferring  the  fimds  for 
research  money,  and  create  a  WWW  application  that  could  simplify  the  process, 
to  include  the  electronic  transfer  of  funds. 

D,  THE  FUTURE 

The  future  for  FTM  on  the  WWW  lies  not  with  third  party  transaction  systems,  as 
detailed  in  this  thesis,  but  with  direct  Internet  access  to  the  credit  suppliers.  Both  Visa  and 
Master  Card,  the  two  largest  credit  card  companies,  have  joined  forces  to  develop  an  open 
protocol  for  the  use  of  any  credit  card  on  the  Internet.  (Visa/Master  Card,  1995) 
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This  open  protocol  would  allow  the  users  to  purchase  goods  or  services,  with  funds  being 
exchanged  at  the  credit  card  company,  vice  the  third  party.  Although  a  working  protocol  may 
take  anywhere  from  six  months  to  three  years  to  develop  and  mature,  once  it  does  get  released  to 
the  general  WWW  population,  it  is  sure  to  gobble  most  of  the  financial  market  share.  In  the 
meantime,  systems  such  as  First  Virtual  and  Netbill  will  continue  to  provide  the  necessary  tools 
for  the  continued  growth  of  Internet  commerce.  (Visa/Master  Card,  1996) 
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APPENDIX.  WORLD  WIDE  WEB  RESOURCES 
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First  Bank  of  Internet  (FBOI)  Opens 

Vinn  Beigh  <  fboi(a),netcom.  com  > 

Sun,  19  Mar  1995  23:03:43  -0800 


/\ 

ANNOUCEMENT 

For  immediate  release:  Contact:  fboi@netcom.com 

Monday/  March  20,  1995  Subject  of  ’info’  for  details 

Direct  questions  to  Vinn  K.  Beigh 

The  First  Bank  of  Internet,  FBOI,  is  announcing  the  initiation  of  transaction  processing  services  for 
Internet  electronic  commerce.  Purchases  over  the  Internet  can  now  be  made  without  exposing  personal 
credit  card  information.  Vendors  can  now  sell  products  on  the  Internet  without  the  restrictions  imposed 
by  credit  card  use. 

Other  Internet  pmchase  procedures  require  personal  credit  card  information.  Those  proceedings  will  be 
monitored  by  thousands  of  people  all  over  the  world.  Some  will  attempt  to  either  decode  the  credit  card 
information  or  impersonate  the  customer  in  future  transactions. 

The  alternative  to  personal  credit  cards  for  electronic  commerce  is  based  on  an  FBOI  procured  Visa  (tm) 
Automated  Teller  Machine  (ATM)  card.  The  card  is  prepaid,  PIN  protected,  replaceable,  disposable, 
and  good  at  over  200,000  Visa/PLUS  (tm)  ATMs  in  83  countries. 

The  safety  of  FBOI  is  ensured  because  access  to  ATM  funds  without  possession  of  both  the  ATM  card 
and  the  Personal  Identification  Number  (PIN)  is  not  possible.  ATM  cards  are  also  better  than  credit 
cards  because  their  purchase  does  not  require  the  personal,  financial,  and  employment  background  of 
the  consumer. 

The  Visa  ATM  card  is  not  a  credit  card.  It  is  cash.  The  ATM  card  will  be  used  as  a  checking  account. 
Using  an  ATM  card  allows  consumers  to  set  aside  dedicated  funds  for  Internet  data  purchases.  It 
provides  a  safe,  secure  way  to  transfer  cash  from  consumers  to  producers.  In  addition,  consumers  can 
reclaim  their  funds  at  any  time  using  an  ATM. 

A  check/invoice  procedure  is  used  that  consumers  will  find  familiar.  The  consumer  first  places  an  order 
with  a  vendor.  The  consumer  then  sends  to  the  vendor  or  FBOI  an  e-mail  'check'  for  the  purchase  of  the 
program/file/data  product.  The  vendor  sends  FBOI  an  e-mail  'invoice'.  FBOI  will  reconcile  the 
transaction  and  send  e-mail  transaction  receipts  to  both  the  vendor  and  customer.  Cash  will  be  taken 
from  the  customer  ATM  account  and  credited  to  the  vendor  for  later  payment.  FBOI  charges  a  5% 
vendor  commission  per  transaction. 
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Producers  of  software,  information  collections,  newsletters,  graphics,  and  other  data  products  can  use 
FBOI  services  for  the  sale  of  their  products.  These  vendors  can  sell  their  products  for  prices  that  would 
be  too  low  for  credit  card  transactions.  Subscription  services  that  charge  an  up-front  fee  for  one  time 
access  to  data  depositories  and  services  also  can  participate. 

Vendors  will  benefit  from  a  very  large  consumer  base  because  this  global  solution  works  just  as  well 
outside  the  U.S.  as  within  the  U.S..  The  Visa  ATM  network  is  worldwide.  Consumers  will  benefit  from 
a  veiy  large  vendor  base  because  software  produced  in  non-North  American  countries  can  be  offered  for 
sale  much  easier  than  now. 


The  worldwide  producers  on  the  Internet  can  use  FBOI  services  without  the  expense  of  owning  or 
renting  a  dedicated  Internet  server  or  a  World-Wide  Web  site.  E-mail  is  the  cheapest  and  simplest  of  all 
Internet  services.  Large  Internet  commercial  services  will  soon  be  starting  that  provide  only  for  the 
on-line  purchase  of  catalog  products.  It  will  not  be  possible  for  the  individual  producer  to  sell  a  data 
product  using  those  services.  Those  services  will  collect  the  consumers  credit  card  information  in 
advance  because  of  Internet  security  problems. 

FBOI  transmits  no  sensitive  information  over  the  Internet  and  prevents  forgery  and  impersonation  by 
using  Pretty  Good  Privacy,  PGP  (tm),  software  for  all  transactions.  This  freeware  provides  excellent 
authentication  and  anti-alteration  security. 

In  addition  to  the  unsecured  nature  of  the  Internet,  consumers  should  be  hesitant  giving  out  their  credit 
card  information  to  vendors  of  unknown  credibility.  Tracking  is  much  harder  on  the  Internet  than 
magazine  direct  marketing.  Also,  it  is  not  the  same  as  mail  order  merchandise  since  U.S.  Postal  Service 
and  Federal  Trade  Commission  mail  order  laws  do  not  apply  to  the  Internet. 

For  high  volume,  low  cost,  transactions  directly  between  producers  and  consumers  on  the  Internet 
contact  FBOI. 


Further  information  can  be  obtained  from  The  First  Bank  of  Internet  by  sending  an  e-mail  message  with 
the  subject  "info"  to  <fboi@netcom.com>. 


Visa  is  a  trademark  of  Visa  International  Service  Association.  PLUS  is  a  trademark  of  Plus  System,  Inc. 
PGP  and  Pretty  Good  Privacy  are  trademarks  of  Philip  Zimmermann.  The  First  Bank  of  Internet  (trn)  is 

not  a  lending  institution,  and  is  not  chartered.  HI _ 
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Abstract:  As  business  is  moving  from  face-to-face  trading,  mail  order  and  phone  order  to  electronic 
commerce  over  open  networks  such  as  the  Internet,  crucial  security  issues  are  being  raised.  While  EFT 
over  financial  networks  is  reasonably  secure,  securing  payments  over  open  networks  connecting 

f challenges  of  a  new  dimension.  This  paper 
reviews  the  state  of  the  art  inpayment  models  and  technologies,  and  sketches  emerging  developments 


1  Introduction 


Since  the  dawn  of  history  there  was  trading  between  two  parties  exchanging  goods  face-to-face. 


48 


the  pnnfng  of  ™ney  New  steps  were  taken  when  payment  orders,  eheques,  SateTS^moi^ 

iTtTk  T'^ 

nen  Duyer  and  seller  are  not  face-to-face  is  impossible:  either  the  buyer  must  take  the  risk  of  sendina  m 
a  payment  before  havtng  reeeived  his  purchase  or  the  seller  must  send  fte  purcteed  items  before*  ” 
tavrng  received  the  payment.  Phone  order  purchases  are  even  worse  since  rsiSu^all  crbe 
provided,  the  seller  rims  the  nsk  that  the  buyer  may  deny  having  made  the  purcSe  and  demand  a 
refund  even  after  he  has  received  the  goods.  Without  new  security  measmes^nvi 
commerce  over  open  computer  networks  is  utopic.  This  paper  discusses  electronic  p^^CTem  mCdCTs  in 
Section!,  secunty  requirements  in  Section  3.  and  emerging  technologies  in  Section4^ 


2  Electronic  Payment  Models 


®  to  exchange  money  for  goods  or  services 

institution  which  links  "bits"  to  "money."  In  most  existing^yment  systems 
this  role  IS  divided  into  two  parts,  an  issuer  (used  by  the  buyer)  and  an  acquirer  (used^  the  seller).  ’ 

The  electromc  payment  from  buyer  to  seller  is  implemented  by  a  flow  of  real  money  from 

°  ^  by  movmg  mou^  ou.  of  a 

□  issuer  to  acquirer  (clearing), 

□  acquirer  to  seller  (deposit,  e.g.,by  putting  money  into  the  seller's  account). 

(if  loading  cash  via  a  reverse  atm 

is  possible)  of  the  buyer  is  debited  a  certain  amount  which  can  be  used  for  parents  afterwardc 
C^d-based  electromc  purses,  electronic  cash  as  well  as  (certified/guaranteed^  KanV  ^.11  in  thic 

category.  In  pay-now  payment  systems,  the  buyer's  account  is  debited  at  the  timeTfoa^nt  ‘attCt  r«rH 
based  systems  (like  flte  European  edc-system)  fall  in  this  oategoty.  h 
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systems,  the  seller's  bank  account  is  credited  the 
Credit  card  systems  fall  in  this  category. 


amount  of  the  sale  before  the  buyer's 


account  is  debited. 


3  Security  Requirements 

The  secunty  requirements  of  electronic  payment  systems  vary  depending  on  their  features  and  the  trust 
assumimons  m  on  then  operation.  Therefore,  if  is  not  possible  to  provide  a  tol  sSc“,oi  tow  fo 
secure  them.  Generally,  though,  one  or  more  of  the  following  illusive  requiremerm^TnJr 

Integrity  and  authentication: 

□  Messages  Aat  authorize  debit  of  a  buyer's  account  need  to  be  signed  by  that  buyer  to  guarantee 

that  unauthonz^  parties,  including  the  issuer  itself,  cannot  draw  on  the  buyer's  accoiSTSTut 
an  explicit  proof  that  the  buyer  authorized  the  debit.  ^ 

□  ^th  the  buyer  and  the  banks  involved  want  to  make  sure  that  such  signed  payment  authorizations 
are  unique  and  cannot  be  submitted  twice  by  a  claimed  seller. 

0  The  buyer  may  dem^  from  the  seller  a  signed  acknowledgemern  that  the  purchased  goods  or 

°  ^at'!;rrdX‘Su^r.“’““'  “  ^oods  or  services  are 

Confidentiality: 

□  &me  or  ^1  parties  involved  may  wish  confidentiality  of  the  transaction,  whereby  i-l-otitv  of  the 

oX;,  a  Sse^tlT:"'’  panicipants  hriS^S 

only  to  a  subset  ot  them  (e.g.,  where  untraceability  is  desired). 

Availability  and  Reliability: 

□  All  parties  are  interested  in  being  able  to  perform  payments  whenever  necessar^^ 

a^ent  transactions  must  be  atomic,  i.e.,  happen  entirely  or  not  at  all,  but  never  hang  in  an 

Availability  and  reliability  presuppose  that  the  undeiying  networking  services  and  all  software  and 

Shl^T  sufficiently  dependable.  Recovery  from  crash  failures  requires  some  sort  of 

all  parties  and  specific  resynchronisation  protocols.  These  fault  tolerance  i<=«»es  are  not 
discussed  in  the  following,  since  most  payment  systems  do  not  address  them  explicitly 
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ETto  rj^^^ovS^TS  smm‘“T  T  ”"“'  ™‘*'‘^’ 

T.ese.ech„o.o^„p«o.a..Iu3aJ^r.HlSS:;rg^;^^^^^ 


4  Technology  Overview 

tntSTte  Sterna  la  T T ‘ ’ '’“" '“ 
dishonest  buyer  from  doing  unauthorised  payments.  For  insSiI!J“  t  E^te’SsWrrs'SS'th 

“”dr„rhir-ty=c^ 

°  as  a  "legal"  payer  (e.g.,  by  means  of  a  public-key  certificate)  and  the 

□  The  payment  is  authorised,  i.e.,  the  seller  is  convinced  that  he  will  receive  the  money. 

4.1  On-line  vs.  off-line 

limtlS*; 


51 


(i.e.,  beyond  100  ECU).  CAFE  is  the  only  system  that  provides  strong  buyer  anonymity  and 
ratraceabihty.  Both  systems  offer  the  buyers  an  electronic  wallet,  preventing  the  ^iSoiown 

t^rSrhTndltTff  multi-currency  purses,  i.e., 

they  can  handle  different  currencies  simultaneously.  ^ 

tWA®  payments,  but  currently,  they  aren't.  The  main  obstacle  is 

^  ^  smaitcard  reader  attached  to  the  buyer's  PC  or  workstation.  Inexpensive  PCMCIA 
smartcard  readers  and  standardised  infrared-interfaces  on  notebook  computers  can  solve  this 

approach  taken  in  the  recently  announced  First  Bank  of  Interrupt 
system,  based  on  the  newly  announced  VISA  electronic  purse. 

Another  system  that  be  developed  in  this  spirit  is  the  FSTC  Electronic  Check,  that  will  use  a 
tamper-resistant  PCMCIA  card,  and  will  implement  a  cheque-like  payment  model. 

teZf^trl  authorisation  could  be  done  pre-authorisation 

sta  “iiiifeS 

Whether  off-line  authentication  requires  tamper-resistant  hardware  or  not,  depends  on  the  cryptosranhic 
primitives  used,  and  on  how  trustworthy  the  buyefs  PC  or  workstation  is  from  the  buyer's  pdirt  of^ew. 

4.2  Tamper-resistant  Hardware 

^  aJr^y  mentioned  m  |ectfpn4.}.  for  the  issuefs  seenrity,  most  off-line  payment  systems  require  a 
Kcfr^^h?issSr  hardware  in  the  buyer’s  device.  In  a  certain  sense,  this  piece  is  a  "pocket 

^dependent  of  the  issuer’s  security  considerations,  it  might  also  be  in  the  buyer's  interest  to  have  a 

could  be  just  a  smartcard,  but  in  the  long 
run,  It  should  be  at  l^t  a  smartcard  reader  with  its  own  keyboard  and  display  for  entering  a  PIN  and  ^ 
Simple  commands.  This  is  often  called  an  electronic  wallet. 

Without  such  a  secure  device,  the  buyer's  secrets,  i.e.,  the  buyer's  money,  are  vulnerable  to  anvbodv  who 
wfe  mp  buyers  machine^This  is  obviously  a  problem  in  multi-user  environments,  but  afro  on 
single-user  machines  Aat  may  be  accessed  directly  or  indirectly  by  others,  and  where  a  virus  for 
instance,  could  steal  PINs  and  passwords  while  they  are  entered. 

’’T'  4  Trojan  horse  in  his  or  her  PC  cannot  reveal  PINs 

'’y  sending  marl  to  a  remote  attacker,  or  by  simply  asking  the  smartcard  to  make  a 
^yment  to  the  att^kers  account,  silently.  Therefore,  for  real  security  trusted  input  and  output  channels 
a^dT^IJiS"  workstation”  must  emst,  e.g.,  using  an  electronic  wallet  with  its  own  display 

4.3  Cryptography 
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"Crypto-less"  Systems 


Generic  "Payment  Switch" 

s,S  “■“  “  *=  i-« .  f»*li<>key  coTtogmphy  is  used  for  this 

Shared-key  Cryptography 


^ox  shared-key  cryptography,  the  buyer  and  merchant  on  the  one  side  and  that  party  oerformine 
pusswSr  ("■« .  a  DEsS^ii),  or  at  least  a 

r»;2«  SrsSi'E'ssjs""  — t. 

Usually,  tamper-reststaut  security  modules  in  point^f-sale  terminals  am  us  J'io  proWteS^. 
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Shared-key  cryptography  is  used,  e.g.,  by  the  off-line  systems  Danmont  and  Proton  and  the  on-line 
systems  SNP^,  mBill(S)  (by  Cameg/.  Mellon  University,  CMU),  and  NetcZaTmihv 
University  of  Southern  California).  ^  ^ 

NetBill  and  NetCheque  are  based  on  the  Kerberos  technology,  and  focus  on  "micro-payments."  Both 
implement  a  cheque-like  debit  payment  model.  The  use  of  shared-key  technology  is  justified  by  the 
performance  required  to  process  many  micro-payments  in  short  time. 

In  February  1995,  VISA  and  CMU  announced  a  cooperation  to  develop  NetBill,  probably  in  the  direction 
of  using  asymmetric  cryptography,  for  commercial  purposes. 

Public-key  Cryptography 

For  pubhc-key  ciyptography  the  buyer  has  a  secret  signature  key  and  a  certificate  for  his  corresponding 
public  signature  venfication  key  (e.g.,  issued  by  the  payment  system  operator  or  a  specific  issuer)  In 
most  existing  and  proposed  systems,  RSA  is  used  (but  there  are  several  alternatives). 

Digital  signatoes  provide  non-repudiation,  i.e.,  disputes  between  sender  and  recipient  of  a  signed 
message  can  be  resolved.  This  should  be  mandatory  at  least  for  high-value  pa5mients. 

Off-line  authentication  is  no  problem  here,  since  the  seller  can  easily  verify  a  signature  of  the  buyer 
(and  could  check  the  certificate  against  a  local  copy  of  a  blacklist  of  "bad"  certificates,  if  necessary) 
Authonsation  still  requires  either  an  on-line  connection  or  trasted  hardware  at  the  buyer. 

cryptography  ^\\  be  used,  e.g.,  by  the  off-line  systems  Express  (by  Europay)  and  CAFE. 
Most  Of  the  proposed  on-line  payment  systems  use  public  key  cryptography; 

Rather  general  mVW security  schemes  using  public-key  cryptography  are  SHTTP  and  SSL  Neither 
payment  technology  per  se,  but  they  are  suggested  for  securing  also  payment  informati^ 

SSL  is  an  Mtemet  socket-layer  communication  interface  allowing  buyer  and  seller  to  communicate 
secmely.  Netscape  Communications  Corporation  (which  proposed  SSL)  is  offering  payment 
mechanisms  based  on  that  secure  interface.  SSL  does  not  support  non-repudiation. 

SHTp>  is  a  secure  extension  of  the  HTTP  protocol  used  on  the  Internet  World-Wide  Web  fWWWi 
developed  by  the  ^qinmerceNet  consortium.  SHTTP  offers  several  security  techniques,  e.g.,  signing  and 
encrypting  with  RSA,  on  top  of  which  vanous  payment  protocols  may  and  will  be  implemented. 

Both  SSL  and  SHTTP  offer  a  selection  of  symmetric  and  asymmetric  cryptographic  technologies 
Because  of  the  open  access  these  technologies  offer  to  strong  cryptographic  primitives,  they  ^ e  all 
subject  to  U  S.  export  restrictions.  Exportable  versions  will  be  available  but  they  will  be  using  'tamed' 
(less  secure)  cr^tographic  technologies.  It  is  very  questionable  whether  banks,  merchants  and 
customers  outside  North  Amenca  will  be  interested  in  such '  second-grade'  technologies 


IS  a 
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are  e.g.,  ecash  (by  Di^iCash),  NetCash  Tbv 

{im(by/5A^).  - ^  ^ 

‘r.ssssss’’  p.™« !«« 

putfonn.  unae  some  ofl.er  designs  4  m<,uim 

4.4  Anonymity  of  Buyer 

Sriite;^;S;eT(“y"^o"lMSTrh  r"'*  “■“■•y-  so*  ^  usefld  for 

unnaceable.'^^dXSln^Sio  e^^ 

cerminly  not  the  sellers  (shops,  publishers,  etc.),  but  in  so^Sses  n^evL  fte  2'^'"'”'™'“'' 

is=sss=s=~= 

■=5S^3st-5S5gg='aa 

5  Summary  and  Outlook 
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B^ause  of  the  limited  space  in  this  article,  we  were  not  able  to  describe  tiie  technical  details  of  the 
(hfferent  payment  systems  listed.  However,  even  the  high-level  overview  and  the  rich  set  of  references 
should  have  made  it  cle^  that  the  technology  that  is  necessaiy  for  secure  electronic  Internet  payment 
^Swe^  Achieving  security  for  all  parties,  inclusive  perfect  untraceability  for  the  buyer,  is 

Currently,  no  prcyosal  or  system  is  dominant,  but  with  high  probability  this  will  change  within  the  next 
two  years  at  most.  But  the  question  "Which  payment  system  will  be  used  on  the  IntemetT  will  not  have 
a  single  answer.  Several  payment  systems  will  coexist: 

□  Mcro-pa^ents  (less  than  1  ECU),  low-value  payments  (1-100  ECU)  and  high-value  payments 
nave  significantly  different  security  and  cost  requirements. 

Possibly,  high  values  will  be  transferred  using  non-anonymous,  on-line  payment  systems  based  on 
asymmetoc  cijptography,  implementing  a  cheque-like  or  credit-card-like  payment  model.  As  soon  as 
smartcard  readers  are  available  at  PCs  and  workstations,  small  amounts  might  be  paid  using  pre-paid 
otf-line  payment  systems  that  provide  a  certain  degree  of  untraceability  (like  real  cash). 

□  Payment  systems  with  and  without  tamper-resistant  hardware  at  the  buyer  will  coexist  for  some 
ttme.  Ultimately,  payment  systems  based  on  smartcards  and  electronic  wallets  (having  their  own 
display  ^d  keyboard,  and  communicating  with  the  buyer's  terminal  via  an  infrared  interface)  will 
become  dominant,  since  they  clearly  provide  better  security  and  enable  the  buyer  to  use  untrusted 
terminals  without  endangering  security. 

□  Probably,  a  few  almost  equivalent  payment  systems  will  coexist  for  the  same  areas  of  application 
(i.e.,  payment  model  and  maximum  amounts).  The  reasons  are  various  "cultural"  differences  in 
the  business  and  payment  processes  (e.g.,  between  the  U.S.  and  Europe),  national  security 
considerations  that  might  disable  some  solutions  in  some  countries,  and  competition  between 
payment  system  providers. 


Footnotes 


^■//ww.mon<tex.coin/mondexdiome.htm;  see  also:  Richard  Rolfe:  Here  Comes  Electronic 
Cash;  Credit  Card  Management  Europe,  Januaty/February  1994, 16-20. 

^://^.^ch  ibm.cyechnology/Securitv/sirene/t?roiects/cWe/index.h^  see  also  Jean-Paul 
ESPIOT  Prpiect  CAFE  -  High  Security  Digital  Payment  Systems:  ESORICS  '94 
LNCS  875.  Spnnger-Verlag.  Berlin  1994. 217-220 

bttp://ww.openmarket.coni/about/technical/;  see  also:  David  K.  Gifford,  Lawrence  C.  Stewart 

^drew  C.  Payne,  G.  Winfield  Treese:  Payment  Switches  for  Open  Networks;  IEEE  COMPCON 
March  95.  ’ 

We  do  not  provide  references  to  cryptographic  algorithms  in  this  overview.  For  an  introduction 
and  a  descnption  of  most  of  the  cryptographic  algorithms  used  for  electronic  payment  systems, 
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(5) 

(6) 

(7) 

(8) 

(9) 

(10) 


(11) 


(12) 


see  Bruce  Schneier:  Applied  Cryptography;  John  Wiley  &  Sons,  1994. 

For  some  examples  on  the  consequences  of  no  non-repudiation  see:  Ross  Anderson-  Whv 
Cryptosystems  Fails:  Communications  of  the  ACM  37  1 1.  November  1994  ■^2-41 
For  an  example,  see:  Integrated  Circuit  Card  Specifications  for  Payment  Systems' 
Europay/MasterCardA/ISA,  October  1994. 

S^ereiKe^iyy/  ^  Simple  Network  Payment  Protocol:  Computer  Security  ApDlications 

http://www.ini.cmu.edu/netbi11;  see  also:  Marvin  Sirbu.  J.  D.  Tvear:  NetBill-  An  Internet 
Commerce  System:  IEEE  COMPCON.  March  95  " 

glifford  Neuman  Gennady  Medvinsky:  Requirements  for  Network  Payment-  The  NetCheniie 
Perspective:  IEEE  COMPCON.  March  95  - ^ 

http7/wvyw.z^ch.ibm.ch/Technology/Security/extern/ecommerce/:  see  also:  Mihir  Bellare  Juan 
A  Garay,  R^alf  Hauser,  Amir  Herzberg,  Hugo  Krawczyk,  Michael  Steiner,  Gene  Tsudik,  Michael 
Waidner.  A  Family  of  Secure  Electromc  Payment  Protocols;  IBM  T.J.  Watson  Research 
Centre  and  IBM  Zurich  Research  Lab,  Draft,  March  1995. 

David  Chaum:  Achieving  Electronic  Privacy;  Scientific  American,  August  1992  96-101  David 
Cha^:  Pnvacy  Protected  Payments;  SMARTCARD  2000,  North-Holland,  Amsterdam  1989, 

|ttp://ww  research,  att.eom/index.html#acc;  see  also:  Steven  H.  Low,  Nicholas  F.  Maxemchuk 
wfty  Mifc  Conference  on  Computer  and  Communication 
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For  Immediate  Release 


Visa  and  MasterCard  Working  Together  to  Support 
Specifications  for  Secure  Card  Transactions  on  the  Internet 


Transactions  on  the  Internet 

l^W  YORK  &  SAN  FRANCISCO,  June  23,  1995  -  MasterCard  International  and  Visa 
International  today  announced  that  the  two  associations,  will  integrate  their  current  efiforts  to  provide  a 

woHH  hfiH  pwch^es  on  open  networks  such  as  the  Internet.  Consumers  around  the 

world  hold  more  than  690  million  bankcards,  and  with  this  security  it  means  using  those  cards  to 
coquet  transactions  in  cyberspace  will  soon  be  as  secure  as  using  a  card  at  a  physical  point  of  sale 


^jsa  and  MasterCard  will  support  specifications  expected  to  be  published  by  September  and 
Mticipate  that  consumers  will  be^n  participating  in  secure  card  transactions  on  the  Internet  in’early 
tec^^l  hrforaSn*^  associations  are  agreeing  upon  a  common  set  of  requirements  and  sharing 

siycification  supported  by  MasterCard  and  Visa  will  be  open  and  available  to  all 
entities.  This  standard  will  provide  payment  secunty  for  all  bankcard  transactions;  other  security 
protoco  s  can  be  used  to  protect  personal  data.  The  new  standard  also  will  facilitate  deployment  of 
personal-computer  (PC)  software  to  incorporate  payment-security  applications. 

requirement  necessary  to  grow  a  new  market  is  consumer  and  merchant  confidence  A 
seeme  transaction  ^^lthln  a  seewe  payment  system  is  the  foundation  of  that  confidence,"  said  Edmund 
Jensen,  president  and  CEO  of  Visa  International.  "Establishing  that  environment  for  our  member 
institution  ~  and  their  consumers  and  merchants  -  is  the  purpose  of  our  groundbreaking 
efforts  to  forge  partnerships  that  bndge  the  worlds  of  high-tech  and  financial  services.  Working  together 

deveTonlTnrr  7"^"^  acceptance  and  use  is  a  crucial  step  infhe 

Stemet "  commerce  -  and  will  be  the  significant  enabler  in  the  commercial  ^owth  of 

"Establishing  one  stendard  for  card  purchases  on  the  Internet  is  absolutely  the  right  thing  to  do  for 
wnsumers  m^hante  and  financial  mstitutions  worldwide,"  said  H.  Eugene  Lockhart,  CEO  of 

^^Slem  e^mnl'e  “Tt  ?  ^  chip^^rd  specifications  are 

an  excellent  example  -  that  benefit  consumers  worldwide.  And,  it’s  exciting  that  we  will  do  the  same  in 


where  necessary,  operates'^  sSl  as  I  sf  ?  *"  'o  SET. 

tests,  an  updated  version  of  the  specification  will  be  publish  for  STeXo'^™"''™ 

httpyw'jL^”  Visa’s  Web  address  is 


hotter  PrSSTfa  ^meShi^Sl  MoTT 

243,000  MasterCard/Cirrus  ATMs  worldwide  MasterCard’s  nin^”  locations,  including 

«  and  delivery  systems  continues  to 

a  pivotal  role  in  developing  and  fm^ementing  ^iTtwS  Th  payment  system.  It  plays 

financial  institutions  and  4ir  cardholders  biLeTs^^nv  ^®' 

million  cards  are  accepted  by  more  than  1 2  2  mini  the  global  economy.  Visa's  442 

global  ATM  network.  worldwide.  Visa/PLUS  is  the  largest 
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For  Immediate  Release 


Visa  &  MasterCard  Combine  Secure  Specifications  For  Card 
Transactions  On  The  Internet  Into  One  Standard 

Move  expected  to  accelerate  development  of  electronic  commerce  and  bolster  consumer  confidence 

in  the  security  of  cyberspace  transactions 

PURCHASE,  NY  &  SAN  FRANCISCO,  February  1, 1996  —  Addressing  consumer  concerns 
about  making  purchases  on  the  Internet,  MasterCard  International  and  Visa  International  joined  together 
today  to  announce  a  technical  standard  for  safeguarding  payment-card  purchases  made  over  open 
networks  such  as  the  Internet.  Prior  to  this  effort.  Visa  and  MasterCard  were  pursuing  separate 
specifications.  The  new  specification,  called  Secure  Electronic  Transactions  (SET),  represents  the 
successful  convergence  of  those  individual  efforts.  A  single  standard  means  that  consumers  and 
merchants  will  be  able  to  conduct  bankcard  transactions  in  cyberspace  as  securely  and  easily  as  they  do 
in  retail  stores  today. 

The  associations  expect  to  publish  SET  on  their  World  Wide  Web  sites  in  mid-February. 
Following  a  comment  period,  the  joint  specification  is  scheduled  to  be  ready  for  testing  in  the  second 
quarter  1996.  Visa  and  MasterCard  expect  that  banks  will  be  able  to  offer  secure  bankcard  services  via 
the  Internet  to  their  cardholders  in  the  fourth  quarter  1996. 

Participants  in  this  effort  with  MasterCard  and  Visa  are;  GTE,  IBM,  Microsoft,  Netscape 
Commumcations  Corp.,  SAIC,  Terisa  Systems  and  Verisign.  Also,  SET  will  be  based  on  specially 
developed  encryption  technology  from  RSA  Data  Security. 

"This  is  the  first  step  in  making  cyberspace  a  profitable  venture  for  banks  and  merchants.  A  single 
standard  limits  unnecessary  costs  and  builds  the  business  case  for  doing  business  on  the  Internet,"  said 
Edmund  Jensen,  president  and  CEO  of  Visa  International.  "Further,  our  work  with  MasterCard 
demonstrates  our  unwavering  commitment  to  address  the  needs  of  our  member  financial  institutions, 
and  their  merchants  and  cardholders. " 

H.  Eugene  Lockhart,  CEO  of  MasterCard,  said:  "MasterCard  has  viewed  one  open  standard  for 
secure  card  purchases  on  the  Internet  as  a  critical  catalyst  for  electronic  commerce  because  it  bolsters 
consumer  confidence  in  the  security  of  the  electronic  marketplace.  A  single  standard  has  always  been 
our  objective  because  it  is  in  the  best  interests  of  not  only  consumers,  but  also  merchants  and  financial 
institutions  worldwide.  We  are  glad  to  work  with  Visa  and  all  of  the  technology  partners  to  craft  SET." 
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the  dynamic  environment  of  the  Internet.  Our  objective  is  to  ensure  that  every  transaction 
what  type  it  is  and  no  matter  where  it  occurs,  is  processed  quickly,  securely  and  reliably."* 


no  matter 


The  specificatioiK  supported  by  the  associations  will  call  for  the  use  of  extensive  encryption 
capabrhtres  based  on  RSA  Data  Secunty  to  protect  card  transactions  on  the  Internet  and  other  networks 

pi^chases  and  payments  performed  on  open  networks  such  as 
the  Internet  will  function  similarly  to  other  bankcard  purchases. 


u  transacttons  over  open  networks  is  cmcial  for  both  card  associations.  Bankcards 
represent  the  best  payment  optron  for  users  of  the  Internet,  and  that  use  will  expand  exponentially  as  the 
market  continues  its  explosive  growth.  Protecting  and  leveraging  their  powerful  brands  in  a 

key  to  Visa  and  MasterCard.  With  a  combined  global-transaction  volume  of 
more  than  $1  tnlhon^the  associations  joint  work  m  establishing  security  standards  on  the  Internet  will 
be  a  forceful  engine  for  its  continued  growth. 
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